November 18, 2017 | Written by: Adewale Omoniyi
Categorized: U.S. federal government
Public- and private-sector blockchain initiatives must contend with technological, governance and regulatory challenges. For all of its transformational business value (immutability, distributed transactions, cryptography, provenance and so on), pertinent issues around governance, advocacy, SmartContract development, and securing blockchain applications at the edges must still be resolved before blockchain can garner mainstream adoption.
Part I of this two-part abstract describes IBM Global Business Services' (GBS) cybersecurity perspective on applying blockchain cybersecurity principles, through an enterprise risk-based approach, to permissioned blockchain application development.
Part II depicts the use of the blockchain platform to build innovative cybersecurity solutions and services across multiple disciplines.
Part I: Blockchain Security Assurance
Governance Risk and Compliance – SmartContract Management
In an age of first-mover advantage, first-to-market institutions across all vertical industries ignore game-changing technologies at their peril. Conventional wisdom suggests that those who move quickly to embrace disruptive technologies benefit the most from them. Blockchains and distributed ledger technologies represent a paradigm shift, offering a single version of the truth across complex, disparate ecosystems and processes, thereby achieving shared business value, reducing cost, lowering risk and enabling new business models.
The technology dramatically expands access for new entrants into the global marketplace. Securing transactions is critical to adoption of the blockchain protocol. However, managing blockchain-based application risk and maintaining security situational awareness remain largely unsolved by traditional approaches. While there have been several exploits of blockchain applications to date, it is worth noting that they did not target the blockchain technology itself, but rather SmartContracts (business logic defined in code, intended to facilitate, verify, or enforce contract negotiation) and applications at the edges of blockchain networks.
Blockchain Cybersecurity Assurance
As organizations evolve and the development and deployment of blockchain applications proliferate, the complexity of applications, interfaces, and SmartContracts invariably increases, and with it the risk to blockchain applications. Therefore, there is a need for comprehensive risk management and cybersecurity assurance programs for blockchain applications, programs that support skilled cybersecurity professionals with strategy, governance, regulatory, and compliance processes.
Blockchain application developers, together with development operations (DevOps) teams, must consider whether they have the right tools for security and privacy compliance. The industry, as a whole, must examine the security landscape to identify security risks, develop threat modeling tools, establish roadmaps to harden the security posture, and deploy technologies to mitigate risks.
Figure 1 below depicts a blockchain cybersecurity assurance model that addresses blockchain risks based on a domain-specific, risk-based defense methodology and cybersecurity implementation best practices:
Figure 1: Overview of blockchain security assurance services
- SmartContract governance and risk assessment – Defining and aligning the security program to blockchain application and ecosystem DevOps, using established cybersecurity methodologies and NIST's risk management frameworks;
- Data security and privacy assessment – Analyzing blockchain application data sets, thus informing legal, policy and regulatory issues, on- and off-chain design considerations, liability and enforceability issues;
- Key management – Implementing public key infrastructure and associated key management lifecycle management services, including certificate revocation, generation, destruction, etc.;
- Blockchain application threat modeling and secure coding assessments – Analyzing the blockchain network participant ecosystem design and securing micro-services: service-to-service security, application programming interfaces, access controls, and business associate agreements;
- Certification and accreditation and authority to operate blockchain business network – Understanding and applying risk-based procedures for evaluating, describing, documenting, testing, and authorizing blockchain applications and business networks;
- Blockchain cybersecurity intelligence and operations – Continuously monitoring, detecting, analyzing, diagnosing, and mitigating threats to gain insights into the blockchain threat exposure and prevent incidents; and
- Incident response – Developing an incident response orchestration plan and effectively activating people, processes, and technologies to respond to and recover from security breaches impacting the confidentiality, integrity, or availability of enterprise blockchain applications.
About the author
Adewale Omoniyi is a senior managing consultant, biometrics and cybersecurity, IBM Global Business Services (GBS). He leads IBM U.S. Federal’s healthcare cybersecurity initiatives and GBS’s public service blockchain initiatives. Adewale earned his M.B.A. in strategy and global business at New York University and his undergraduate degree in management and information systems from Temple University. His cybersecurity certifications include CISSP, CISM, and CRISC.